Posted
by
Soulskill
on Friday July 09, 2010 @02:35PM
from the penguins-with-guns dept.

Trailrunner7 writes "A security expert has released a stripped-down Ubuntu distribution designed specifically for reverse-engineering malware. The OS, called REMnux, includes a slew of popular malware-analysis, network monitoring and memory forensics tools that comprise a very powerful environment for taking apart malicious code. REMnux is the creation of Lenny Zeltser, an expert on malware reverse engineering who teaches a popular course on the topic at SANS conferences. He put the operating system together after years of having students ask him which tools to use and what works best. He originally used Red Hat Linux, but recently decided that Ubuntu was a better fit. REMnux has three separate tools for analyzing Flash-specific malware, including SWFtools, Flasm and Flare, as well as several applications for analyzing malicious PDFs, including Didier Stevens' analysis tools. REMnux also has a number of tools for de-obfuscating JavaScript, including Rhino debugger, a version of Firefox with NoScript, JavaScript Deobfuscator and Firebug installed, and Windows Script Decoder."

Malware often uses low-level code and tricks which make it break when it is run in an emulator. It also often has checks and tricks in place to detect whether it is being run in a virtual machine and either crashes itself or acts differently. How do you run Windows executables with this so that they actually work normally?

For example, Mac OS X malware is not yet at the point where it's particularly hard to analyze; it's mostly just shell scripts or executables with no low-level tricks.

Yes, and likely you've already de-compiled the binary if you know where to insert a 'jmp' to another point in the stack to keep the malware from detecting the virtualization and attempting to avoid its own detection. So, I'm really not sure what you're "uh, no"-ing about.

If you're reading the code enough to know where to insert jumps, and where to point them, then you are halfway to just reading the fucking code and finding out what it does instead of trying to blackbox test it.

Malware often uses low-level code and tricks which make it break when it is run in an emulator. It also often has checks and tricks in place to detect whether it is being run in a virtual machine and either crashes itself or acts differently. How do you run Windows executables with this so that they actually work normally?

While some malware detects VMs and some fails to run in VMs, not much that I've seen detects VMs then behaves significantly differently or intentionally refuses to run. The Conficker family, for example, detects VMs, then reports on connection to the control channel that it is a VM in addition to the other system info.

As to working around this problem, the way I've seen it done is expensive hardware designed for the purpose, that lets you analyze what is happening from a "watcher" machine and revert the mac

I've always envisioned an Ubuntu on a USB stick (yes, I know that exists) loaded with user-friendly malware scanners (like Malwarebytes) that could be plugged into a Windows machine for scanning/repair. I know this is entirely possible, but I'm talking about more of a "shrinkwrapped" Ubuntu sub-flavor preconfigured for this very thing...

Problem is that malware scanners come and go in terms of effectiveness.

I'd even go as far as to say that Malwarebytes no longer holds my top spot for anti-malware, as there are a few that seem a little more effective, or at least effective in some areas that MB lacks. SuperAntiSpyware, IObit Security 360, there's a handful of them that pick up things MB misses.

Even those won't be good forever. We're talking an Ubuntu distro that has to change every 6 months or so. Not that it'd be a bad project, in fact, it

Right, you'd have to have some way of mixing and matching scanning tools as they lose relevance. Still, if that was managed through the repository so that dummies like myself could keep it viable, it would be pretty cool...

They also often have checks and tricks in place to detect whether they are being run in a virtual machine and either crash themselves or act differently. How do you run a Windows executable with this so that it actually works normally?

All the more reason to run Windows within a Linux emulation! This is exactly why 7, Server 2008 and Vista are not catching on as quickly as Microsoft wants them to in the real world. They are too hard to run under emulation, whereas Server 2003 and XP can be backed up and just run on an IBM, HP or Dell blade within a Linux core. Run a good server RAID that has isolation and guess what.. no problem dealing with even the most sophisticated Windows malware. You just make sure that the core OS which is Linux c

And what the hell, so we have a malware analyzer distribution in the story and a honeypot distribution in the parent; why don't we finish off this security distribution triumvirate with a penetration tester distribution as well: http://www.backtrack-linux.org/

Yep. BackTrack seems better than Ubuntu for a pentesting suite, I think.

I like Ubuntu, and I've installed it at the house, because the wife likes it too. But, for pentesting and analysis, you just don't need, or even want, all the pretties and the extra libraries and apps that Ubuntu lugs around as baggage.

BackTrack doesn't have EVERYTHING a guy might want for every purpose (or it didn't the last time I looked), but you can easily install anything that you need.

From one way of thinking, Debian is Ubuntu stripped down in one specific way. If you don't want Ubuntu stripped down in that specific way, then you're possibly better off stripping down Ubuntu to what you want, rather than trying to add to Debian (and probably prune other things from Debian that you didn't want anyways).

[...] Although one can say Debian is a stripped down Ubuntu, it does not follow that all stripped down Ubuntus are Debian.

Uh? From the Ubuntu site: "Commercially sponsored Debian-derived Linux distribution that focuses on..."
It's based on Debian, so if you strip down Ubuntu, you'll get Debian.
I don't see the point of stripping down Ubuntu, though. I find it easier to start with a stripped-down system and just add whatever I need, using for instance this: http://www.debian.org/CD/netinst/
It works great, and preserves your other previously installed operating system(s).

Remixing is useful for forensics; it's kind of hard to use BackTrack-style distros when you need to customize your live CD at every boot.

I'm making one at the moment because I deal with a lot of broken Windows installations. I had been carrying around (in addition to Windows reinstall disks) DBAN, Ophcrack, the NT password reset tool, and Ubuntu (for killing off rootkits), plus several tools on a USB drive, but there are several downsides to this approach:

As a PC repairman, it sounds like a good idea you've got there. Add a few scripts that will hunt for the most requested saved files (*.jpg, *.mp3, etc.) and it sounds like you'll have a repairman's Swiss army knife o' goodness. If you decide to release it on the web, send me a link?

We use SUSE Studio to build distros that work with particular hardware, with our software and dependencies already installed, configured, and ready to go for our client. Usually these are configured as LiveDVDs so the end user can load from the DVD-ROM, test to make sure everything works, and then double-click the "Install now" icon and install on their machines.

Want to know the really interesting part: we've yet to sell a single Linux install distro. Not one. We've given a few out for demos. But all ou

People don't flock to OS X for the same reason that people don't flock to BMWs from Chevrolets.

Because the BMW driver is generally an inconsiderate self-centred asshole who buys an overpriced toy for a sense of belonging to an elite group, but most people aren't? You'll have to explain to me the cunning detail of your point because car analogies are usually cutting and sophisticated and I'm not very good with cars.

Ignoring substantial ways in which they're different, they are very much the same. The GUI is very much irrelevant on a phone, and as long as it has a subset of the GNU userland tools it's basically a successful redistribution of Debian.

To a certain extent I agree with you: there are too many distros that are just Ubuntu with a different wallpaper and a bunch of codecs preinstalled. Beyond that, however, I have little sympathy for that view. There are plenty of good reasons to remix a Linux distro for a particular purpose.

Take mass installs. Say you're installing Ubuntu on a large number of corporate desktops, but you want to change a few of the installed applications (say, switch the email client to Thunderbird, replace Firefox with Chrome e

Try Hiren's Boot CD. It runs on its own version of Windows and has lots of tools. Not perfect for everything, but a lot of things. It's recompilable, also. It's an ISO download; just burn it and reboot.
http://www.hirensbootcd.net/ I'm not Hiren, but it's free and handy, which are my primary criteria.